How To Protect Your Website From Brute Force Attack

Is your WordPress site safe
Is your WordPress site safe?
October 22, 2015
How to increase your website conversion rate
How to increase your website conversion rate?
November 23, 2015
Show all
How To Protect Your Website From Brute Force Attack

Over 30,000 web sites are hacked every day and hackers work dilligently to find ways to compromise WordPress based web sites.

The best way to prevent these attacks and protect your business is to understand them and fight back!

What is a Brute Force Attack?

It is the most common attack by hackers, also known as brute force cracking. These attacks are not new. They have been used for 15 years, but this year they are definitely at an all time high.

The brute force attack is a trial and error method used by application programs to decode encrypted data such as passwords, data encryption standard (DES) keys, or personal identification numbers (PIN). As a matter of fact, these attacks can be used against any type of encryption.

The brute force attacks are not executed by individuals, but bots which can test millions of login combinations in a short amount of time. This method is likely to start at one digit passwords, then moving on to two digit passwords and so on, until the password is cracked. The brute force attack is most commonly used by hackers to crack encrypted data, but it is also used by security analysts to test company network security.

There are three groups of options which hackers can modify in order to crack your account with the brute force attack:

  • Brute force charset – this group of options allows hackers to select predefine character sets (Lower case Latin (a,b,c,..z), Upper case Latin (A, B, C,…Z), Digits (0…9), Special symbols (!, @, %), All printable (ASCII 32…127) and All (ASCI 1..255)) or they can define custom character set (charset) and the brute force attack will guess a password by trying all probable variants by given character set.
  • Password length and position – this group of options allows hackers to define the minimum and maximum length of the passwords that will be checked. The number of possible combinations grows rapidly as the length of the password increases and so does the length of time of the attack.
  • Distributed attack – if an attack is distributed, that means that more than one computer is participating in the attack. This group of options allows hackers to define how many computers are participating in the attack and select the same setting for all computers so the attack could be more effective.

There are several types of different brute force attacks. For example, some forms of the brute force attack might try combinations of letters and numbers to crack your code, use a dictionary file or commonly used passwords and check all those combinations until it gains access to your account. There are even more complicated brute force attacks which use every possible combination of symbols, letters and numbers to crack your password, but it can take a long time to complete this kind of attack. In short, hackers will use the brute force attack to test millions of login combinations in order to compromise your WordPress web site. This kind of hacker attack will not stop until your password is cracked. The more complicated brute force is, the more time it will take to finish the attack. You can calculate how long the brute force attack will take to crack a password using Brute Force Password Calculator.

There are three types of the brute force attacks:

  1. Dictionary Attack – this attack will use words from a dictionary and literature, or list of common passwords to guess your password. This method can be very effective because a lot of people use weak and common passwords like admin or password.
  2. Search Attacks – this kind of attack can be very slow because it will try to cover all possible combinations of a given character set and a password length range. The complexity of this type of attack is very high due to the huge key space available for the proposed system.
  3. Rule-based search attacks – by creating a certain rule for password generation, rule-based search attack enables an increase of combination space coverage without slowing down the process too much.

How to protect your website?

Brute-force attacks may not be complicated to understand, but it can be difficult to protect against. These attacks can be used against any type of encryption. The speed at which someone might brute-force encryption depends on hardware – it increases as technology becomes faster and capable of doing more calculations per second.  Actually, there is no way to protect yourself completely, but there are a few steps you can take to defend against these attacks:

  • Install Security Plugin – Install a highly trusted and rated security plugin to help protect you against brute force attacks. A good security plugin will make it easy to implement the following recommendations.
  • Use a strong password – Try to use hard-to-guess passwords. You should definitely avoid dictionary words or common series of numbers in your passwords. WordPress Password Strength Detector can come in handy when making your password strong. Also, changing your password periodically can help your website stay safe.
  • Limit the number of log in attempts – Limit the number of failed login attempts your site will allow before locking out the user. If users enter the wrong password more than the specified number of times, they will be locked out. Also, you should extend the period between two possible logins after a wrong password was entered. The more often they enter a wrong password, the longer they have to wait to try again. This way, a high-performance computer can be slowed down in spite of the large number of calculations it could possibly do.
  • Ban specified IP address – With a good security plugin installed and from the WordPress panel you will be able to see how many times your website has come under attack. If you notice that the same IP address is trying to access multiple times your site, you should definitely ban or block that IP address.
  • Update and Upgrade your WordPress – It is crucial to always update your site to the latest WordPress version when you see the notification in your WordPress admin section. This also applies to all installed plugins and themes. A few quick steps to update your version will save you from potentially costly problems down the road.

It is safer if you do not do it on your own!

If there was ever been any concern for website security, there exists now critical issues for anyone who wants to do business on the Web. In addition to these simple do-it-yourself steps, there are also various plugins that you can install to help increase your website security.  Sadly, that probably will not be enough. There is no way to create immunity from brute force attacks, one can only continue implementing best practice steps to protect against known vulnerabilities.

Today’s hacker attacks are sophisticated, highly distributed and well organized – making information security more complex than ever. Don’t leave your security to chance. Our experts receive breaking alerts and implement next-level protection measures in real time. Not only can we can facilitate highly secure hosting and web site maintenance, we can also significantly reduce the chances that your WordPress web site will succomb to a brute force or other malicious hacker attacks.

We custom tailor high-speed, secure hosting and website maintenance solutions for each client.   Don’t lose sleep over website security.  We’ve got you covered.

Jillian Vanarsdall
Jillian Vanarsdall
Founder of Blue Iris Marketing. An inbound marketing agency assisting businesses, from start-ups to high-growth firms, to phenomenally tell their unique story in a noisy digital world. Our services include inbound marketing, Wordpress web design and development, SEO, and social media.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × three =